OpenIdentityPlatformCommunity released 4.0.1 at OpenIdentityPlatform/OpenAM
https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/4.0.1
Shiva Kumar
@rahogata
hi
Shiva Kumar
@rahogata
Is any document available for extending OpenAM, and how do you develop extensions?
Shiva Kumar
@rahogata
Hi, I am getting the below error when I try to configure the OAuth2 provider; can I know the reason for that?
An error occurred while processing this request. Contact your administrator
Shiva Kumar
@rahogata
I am running the application as given in the GitHub README file. No logs are displayed; could anyone please help me change the logging configuration? It would be great.
vharseko
@vharseko
@shiva2991 try setting the -Dcom.iplanet.services.debug.level=message Java property
Shiva Kumar
@rahogata
thank you, I found the logs in the $HOME/openam/openam/debug directory, and the cause of the error found in the stack trace is

ERROR: ConsoleServletBase.onUncaughtException
com.iplanet.jato.NavigationException: Exception encountered during forward
Root cause = [java.lang.IllegalStateException: type parameter is required]
at com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:380)
at com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:261)
at com.sun.identity.console.base.AMViewBeanBase.forwardTo(AMViewBeanBase.java:162)
at com.sun.identity.console.base.AMPrimaryMastHeadViewBean.forwardTo(AMPrimaryMastHeadViewBean.java:113)
at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.forgerock.openam.headers.SetHeadersFilter.doFilter(SetHeadersFilter.java:88)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:111)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)

Root cause:
java.lang.IllegalStateException: type parameter is required
at com.sun.identity.console.task.model.OAuth2ModelImpl.getDisplayName(OAuth2ModelImpl.java:53)
at com.sun.identity.console.task.ConfigureOAuth2ViewBean.beginDisplay(ConfigureOAuth2ViewBean.java:108)
at com.iplanet.jato.taglib.UseViewBeanTag.doStartTag(UseViewBeanTag.java:149)
at org.apache.jsp.console.task.ConfigureO

vharseko
@vharseko
need "type" param in request: please attach a HAR log or write steps to reproduce
Shiva Kumar
@rahogata
Hi, I was able to create an OAuth2 agent and successfully used OpenAM as an OAuth2 provider. Is it possible to use it as a broker that will generate an OAuth2 token by authenticating with Google or Facebook?
vharseko
@vharseko
@maximthomas need to test OpenIdentityPlatform/OpenAM#18 (reported by @shiva2991): old console UI bug? Does it work in XUI?
Maxim Thomas
@maximthomas
@vharseko @shiva2991 Hello, I've tested OpenAM as an OAuth2 provider. So, the OAuth2 provider settings work both in the old UI and in XUI; the OAuth2 client application settings work only in the old UI (there is a redirect from XUI to the old UI). I've set up a provider for the realm, registered an application, authenticated, got an access token, and got the access token info without getting any errors. @shiva2991 when did you get this error you mentioned earlier? How can I reproduce it?
vharseko
@vharseko
@maximthomas, @shiva2991 reported the problem in the reverse case: "OpenAM as OAuth2 Service Provider to other Identity Provider (like Facebook)"
Maxim Thomas
@maximthomas

Just set up OpenAM authentication via the Facebook IdP, got the FB user's attributes, but after setting a new password got this error:

javax.security.auth.login.LoginException: java.lang.NullPointerException
    at org.forgerock.openam.cts.CTSPersistentStoreImpl.deleteAsync(CTSPersistentStoreImpl.java:153)
    at org.forgerock.openam.authentication.modules.oauth2.OAuth.process(OAuth.java:272)
    at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1061)
    at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1229)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:219)
    at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:127)
    at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:570)
    at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:586)
    at com.sun.identity.authentication.UI.LoginViewBean.processLoginDisplay(LoginViewBean.java:1373)
    at com.sun.identity.authentication.UI.LoginViewBean.addLoginCallbackMessage(LoginViewBean.java:1517)
    at com.sun.identity.authentication.UI.LoginViewBean.getLoginDisplay(LoginViewBean.java:1023)
    at com.sun.identity.authentication.UI.LoginViewBean.processLogin(LoginViewBean.java:871)
    at com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:522)
    at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
    at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
    at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBas

Created issue OpenIdentityPlatform/OpenAM#23

After disabling the "Prompt for password setting and activation code:" option in the OAuth authentication module, the error disappeared.

Maxim Thomas
@maximthomas
@shiva2991, I've just reproduced your exception, thanks to @vharseko; taking OpenIdentityPlatform/OpenAM#18 myself
Rohit Joshi
@rohit1991
Hello All :)
Rohit Joshi
@rohit1991

Hi :)
I am exploring the Open Identity community edition of OpenAM, and I have one query.
Below is the link to the 'Web Agent' module, which is an integral part of OpenAM; with the help of this agent we can intercept and control everything for OpenAM:

https://backstage.forgerock.com/docs/openam-web-policy-agents/4.1/web-pa-guide/#chap-web-pa-apache

Do we have such a Web Agent module available within the community edition too, to be installed on an Apache web server?

Can you please guide me on how to set up such a web agent with the community edition?
Thanks !

vharseko
@vharseko
@rohit1991 Apache on Linux x64?
Rohit Joshi
@rohit1991
@vharseko, yes. That will also be fine. Do you have any inputs?
kedarjapan
@kedarjapan
Hello Guys,
I'm trying to set up the OpenAM 14.1.5 WAR on Tomcat 8 on a Windows 64-bit OS. I'm getting the exact same issue as mentioned here; tried both the default and the custom configuration options.
OpenIdentityPlatform/OpenAM#57
Any pointers on this issue?
vharseko
@vharseko
@rohit1991 check https://github.com/OpenIdentityPlatform/OpenAM-Web-Agents#downloads (without the proprietary FR binary license). Thanks to @FireBurn
@kedarjapan please attach full logs
kedarjapan
@kedarjapan
@vharseko logs are attached in OpenIdentityPlatform/OpenAM#57
satyadevaddepally
@satyadevaddepally
Does anybody have a document on using OpenAM as IdP and Google Apps as SP? I tried to follow the configuration and keep getting "invalid SAML request".
satyadevaddepally
@satyadevaddepally
I followed only this, and I am getting "invalid SAML request".
vharseko
@vharseko
Which version? Attach a log with the error.
barramandi
@barramandi

Testing OpenAM version 14.1.8 (OpenAM 14.1.8 Build 900d6316b5)

Using the OpenID demo sample from https://github.com/ForgeRock/openid

Set up the OIDC provider and OIDC client as per the requirements of the demo.
Start the Implicit flow, log in as the user, the user is prompted for consent, and the OIDC flow is successful the first time.

Redo the Implicit flow again with the same browser session; OpenAM will return an error to the authorization request

{
  "error_description": "Error running OIDC claims script: java.util.concurrent.ExecutionException: javax.script.ScriptException: javax.script.ScriptException: java.lang.SecurityException: Access to Java class \"java.util.LinkedHashMap$LinkedKeyIterator\" is prohibited.",
  "state": "af0ifjsldkj",
  "error": "not_found"
}

The issue is not present if the user logged out before redoing the OIDC login flow.

vharseko
@vharseko
@barramandi Configuration -> Scripting -> for all instances, add java.util.LinkedHashMap$LinkedKeyIterator to the "Java class whitelist" in Engine Configuration
Oleksandr
@ahavriluk
The quick start guide is incorrect. First of all, you have to specify the port when you set up the resource. Second, you don't use the name WebAgent; it won't work. You need to name it apache_agent. Then you have to make sure the Docker containers can talk to each other (--net host option?). Oh, yeah, apache_agent doesn't work on Mac.
vharseko
@vharseko
Maxim Thomas
@maximthomas
@ahavriluk, could you provide more info about apache_agent on Mac?
Maxim Thomas
@maximthomas

@ahavriluk,

Then you have to make sure docker containers can talk to each other (--net host option?)

The default driver is bridge, according to the Docker documentation:

bridge: The default network driver. If you don’t specify a driver, this is the type of network you are creating. Bridge networks are usually used when your applications run in standalone containers that need to communicate.

I think setting the network is unnecessary; containers can see each other via the bridge network

Oleksandr
@ahavriluk
I had connectivity issues. The instructions could have been tested. It took me a while to figure all the errors out. It still doesn't say to specify the port number when the policy for Resource *://example:com/? is set. I suggest you test it from scratch: get a fresh Linux VM and try to follow the instructions.
Oleksandr
@ahavriluk
Another issue. I was trying to set up SAML authentication and test it with the testshib.org site.
I was getting this:
00:16:33.363 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:339] - LoginContext key cookie was not present in request
00:16:33.364 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:188] - Incoming request does not contain a login context, processing as first leg of request
00:16:33.364 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:366] - Decoding message with decoder binding 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
00:16:33.367 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:128] - Looking up relying party configuration for http://openam.example.com:8080/openam
00:16:33.367 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:134] - No custom relying party configuration found for http://openam.example.com:8080/openam, looking up configuration based on metadata groups.
00:16:33.367 - DEBUG [edu.internet2.middleware.shibboleth.common.relyingparty.provider.SAMLMDRelyingPartyConfigurationManager:157] - No custom or group-based relying party configuration found for http://openam.example.com:8080/openam. Using default relying party configuration.
00:16:33.368 - WARN [org.opensaml.saml2.binding.security.SAML2AuthnRequestsSignedRule:81] - SPSSODescriptor role metadata for entityID 'http://openam.example.com:8080/openam' could not be resolved
00:16:33.368 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:387] - Decoded request from relying party 'http://openam.example.com:8080/openam'
00:16:33.369 - WARN [edu.internet2.middleware.shibboleth.idp.profile.AbstractSAMLProfileHandler:305] - No metadata for relying party http://openam.example.com:8080/openam, treating party as anonymous
00:16:33.369 - WARN [edu.internet2.middleware.shibboleth.idp.profile.saml2.SSOProfileHandler:222] - SAML 2 SSO profile is not configured for relying party http://openam.example.com:8080/openam
Oleksandr
@ahavriluk
When using Fedlet to implement a SAML Service Provider, do I need a web agent installed?
Oleksandr
@ahavriluk
Oh cool!
Can I use Fedlet as SP and ADFS (Active Directory) or Shibboleth as IdP?
vharseko
@vharseko
@ahavriluk
Create a Fedlet configuration to enable federation between an identity provider hosted on this instance of OpenAM and a remote service provider that does not have a federation solution. Fedlet as SP -> OpenAM IDP -> OpenAM SP -> Other IdP
Oleksandr
@ahavriluk
@vharseko Is it possible to have Fedlet SP -> Other IdP? I am afraid I don't understand how to set up the link in the middle, OpenAM IDP -> OpenAM SP -> Other IdP. Do you have any details on how to do it?
Meanwhile I have found this blog post and am trying to make it work; what do you think? http://htotapally.blogspot.com/2013/11/federated-authentication-using-openam.html